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Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 

WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1)^ Responsive to communication(s) filed on 29 August 2006 . 
2a)D This action is FINAL. 2b)^ This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-33 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) E3 Claim(s) 1-33 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10) Q The drawing(s) filed on is/are: a)D accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 1 19 
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application from the International Bureau (PCT Rule 17.2(a)). 
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Response to Amendment 



1 . This is in response to the request for continued examination filed 08/29/2006. 

2. Applicant's arguments with respect to claims 1-33 have been considered but are moot in 
view of the new ground(s) of rejection. 

Quotations of U.S. Code Title 35 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

4. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 1 02 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 
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Claim Rejections - 35 USC § 102 

7. Claims 1 and 29 are rejected under 35 U.S.C. 102(b) as being anticipated by U.S. Patent 
No. 5,539,906 ("Abraham"). 
Regarding claim 1 

Abraham teaches the invention including an automation security system, comprising: an asset 
component that defines an industrial automation device is taught as defining security functions 
for industrial process steps (see C 10 L 20-35); an access component that defines one or more 
security attributes associated with the industrial automation device is taught as a security 
manager 1 1 placing appropriate security entries into a security table 12 (see C 10 L 36-44); and a 
security component that regulates access to the industrial automation device based upon the 
security attribute is taught as accepting request to access the industrial automation device (see C 
10 L 1-15 and C 10 L 44-59). 
Regarding claim 29 

Abraham teaches the invention including a security schema for a factory automation system, 
comprising: a first data field that describes industrial automation devices is taught as defining 
security functions for industrial process steps (see C 10 L 20-35); a second data field that 
describes security parameters for the industrial automation devices is taught as a security 
manager 1 1 placing appropriate security entries into a security table 12 (see C 10 L 36-44); and a 
schema that associates the first and second data fields, the schema employed to limit access to 
the industrial automation devices based upon the security parameters is taught as accepting 
request to access the industrial automation device (see C 10 L 1-15 and C 10 L 44-59). 
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Claim Rejections - 35 USC § 103 

8. Claims 20, 24 and 28 are rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. 
Patent No. 6,957,348 ("Flowers") in view of U.S. Patent No. 5,539,906 ("Abraham"). 
Regarding claim 20 

Flower teaches the invention including an automation security system, comprising: a server that 
manages a network interface between networked automation devices and other devices 
attempting access to the networked automation devices is taught as a network security system for 
monitoring network traffic for signs of malicious activity including a vulnerability detection 
system (VDS) that gathering information about the network resources (see abstract and C 3 L 30- 
40); a security management module associated with the network interface that enforces an 
enterprise wide policy and to manage security threats directed to the networked automation 
devices is taught as a rules database that defines one or more vulnerabilities associated with the 
network resources (see abstract and C 3 L 41-55). 

Flower does not specifically disclose an industrial automation device in which a security 
management module is developed to manage security threats directed to the industrial 
automation device. 

However, Abraham teaches the invention including an industrial automation device in 
which a security management module is developed to manage security threats directed to the 
industrial automation device (see C 3 L 48 to C 4 L 4) for the purpose of controlling security of 
data elements which represent an industrial process and which are manipulated by a plurality of 
users devices on a data processing system. 
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Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security module of an industrial process of Abraham with the 
network security of Flower because it would provide for the purpose of controlling security of 
data elements which represent an industrial process and which are manipulated by a plurality of 
users devices on a data processing system. 
Regarding claim 24 

Flowers teaches the invention including an automation security methodology, comprising: 
electronically analyzing an automation device is taught as a network security system for 
monitoring network traffic for signs of malicious activity including a vulnerability detection 
system (VDS) that gathering information about the network resources (see abstract and C 3 L 30- 
40); programmatically modeling the automation device in accordance with network security 
considerations is taught as a rules database that defines one or more vulnerabilities associated 
with the network resources (see abstract and C 3 L 41-55); and developing a security framework 
for an automation system based in part on the modeling of a network access type automatically 
(seeC3L56 toC4L15). 

Flower does not specifically disclose an industrial automation device in which a security 
framework is developed for an automation system based in part on the modeling of the industrial 
automation device. 

However, Abraham teaches the invention including an industrial automation device in 
which a security framework is developed for an automation system based in part on the modeling 
of the industrial automation device (see C 3 L 48 to C 4 L 4) for the purpose of controlling 
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security of data elements which represent an industrial process and which are manipulated by a 
plurality of users devices on a data processing system. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security framework of an industrial process of Abraham with the 
network security of Flower because it would provide for the purpose of controlling security of 
data elements which represent an industrial process and which are manipulated by a plurality of 
users devices on a data processing system. 
Regarding claim 28 

Flowers teaches the invention including an automated security system for an automation control 
environment, comprising: means for defining one or more security attributes associated with at 
least one network request; means for processing the one or more security attributes is taught as a 
rules database that defines one or more vulnerabilities associated with the network resources (see 
abstract and C 3 L 41-55); means for automatically determining which network devices require 
security resources is taught as a network security system for monitoring network traffic for signs 
of malicious activity including a vulnerability detection system (VDS) that gathering information 
about the network resources (see abstract and C 3 L 30-40); means for controlling access to at 
least one of a network device based in part on the one or more security attributes (see C 3 L 56 to 
C4L15). 

Flower does not specifically disclose an industrial control environment in which 
controlling access to an industrial automation component based in part on the one or more 
security attributes. 
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However, Abraham teaches the invention including an industrial control environment in 
which controlling access to an industrial automation component based in part on the one or more 
security attributes (see C 3 L 48 to C 4 L 4) for the purpose of controlling security of data 
elements which represent an industrial process and which are manipulated by a plurality of users 
devices on a data processing system. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security framework of an industrial process of Abraham with the 
network security of Flower because it would provide for the purpose of controlling security of 
data elements which represent an industrial process and which are manipulated by a plurality of 
users devices on a data processing system. 

Claim Rejections - 35 USC § 102 

9. Claims 2-7 and 9-19 are rejected under 35 U.S.C. 102(b) as being anticipated by U.S. 
Patent No. 5,539,906 ("Abraham"). 
Regarding claim 2 

Abraham teaches the one or more or more security attributes including at least one of a role 
attribute, a time attribute, a location attribute, and an access type attribute (see abstract and C 7 L 
1-17). 

Regarding claim 3 

Abraham teaches the security component is based on at least one of a formal threat analysis, a 
vulnerability analysis, a factory topology mapping and an attack tree analysis (see C 1 1 L 8-23). 
Regarding claim 4 
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Abraham teaches the security component is based on at least one of automation and process 
control security, cryptography, and Authentication/Authorization/Accounting (AAA) (see 
abstract and C 2 L 21-27). 
Regarding claim 5 

Abraham teaches the asset component describes at least one of factory components and 
groupings, the factory components are at least one of sensors, actuators, controllers, I/O modules, 
communications modules, and human-machine interface (HMI) devices (see C 8 L 45-67). 
Regarding claim 6 

Abraham teaches the groupings include factory components that are grouped into at least one of 
machines, machines grouped into lines, and lines grouped into facilities (see C 9 L 34-50). 
Regarding claim 7 

Abraham teaches the groupings have associated severity attributes such as at least one of risk and 
security incident cost (see C 4 L 24-37). 
Regarding claim 9 

Abraham teaches a set of generic IT components and specifies parameters to assemble and 
configure the IT components to achieve flexible access to the industrial automation device (see C 
7 L 21-36). 
Regarding claim 10 

Abraham teaches the IT components include at least one of switches with virtual local area 
network (VLAN) capability, routers with access list capability, firewalls, virtual private network 
(VPN) termination devices, intrusion detection systems, AAA servers, configuration tools, and 
monitoring tools (see C 10 L 35-59). 
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Regarding claim 11 

Abraham teaches security parameters and policies that are developed for physical and electronic 
security for various component types (see C 3 L 1 7-25). 
Regarding claim 12 

Abraham teaches the security parameters and policies further comprising at least one of security 
protection levels, identification entry capabilities, integrity algorithms, and privacy algorithms 
(seeC 12L 27-37). 
Regarding claim 13 

Abraham teaches the security component includes at least one of authentication software, virus 
detection, intrusion detection, authorization software, attack detection, protocol checker, and 
encryption software (see C 1 1 L 24-30). 
Regarding claim 14 

Abraham teaches the security component at least one of acts as an intermediary between an 
access system and one or more automation components, and facilitates communications between 
the access system and the one or more automation components (see C 9 L 34-50). 
Regarding claim 15 

Abraham teaches the security attributes are specified as part of a network request to gain access 
to the one or more factory assets, the security attributes included in at least one of a group, set, 
subset, and class (see C 3 L 26-40). 
Regarding claim 16 

Abraham teaches the security component employs at least one authentication procedure and an 
authorization procedure to process the network request (see C 10 L 36-59) 
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Regarding claim 17 

Abraham teaches one or more security protocols including at least one of Internet Protocol 
Security (IPSec), Kerberos, Diffie-Hellman exchange, Internet Key Exchange (IKE), digital 
certificate, pre-shared key, and encrypted password, to process the network request (see C 3 L 
26-40). 

Regarding claim 18 

Abraham teaches at least one of an access key and a security switch to control network access to 
a device or network (see C 1 1 L 24-30). 
Regarding claim 19 

Abraham teaches the access key further comprises at least one of time, location, batch, process, 
program, calendar, GPS (Global Positioning Information) to specify local and wireless network 
locations, to control access to the device or network (see C 10 L 1-15). 
Regarding claim 30 

Abraham teaches the schema including at least one of an access role, an asset type, an access 
type, time information, address information, and location information (see abstract and C 7 L 1- 
17). 

Regarding claim 31 

Abraham teaches a response schema to provide status to a requesting network device (see C 1 1 L 
15-35). 

Regarding claim 32 

Abraham teaches the response schema including at least one of a status field, a time field, an 
access type field, an access location field, and a key field (see abstract and C 7 L 1-17). 
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Regarding claim 33 

Abraham teaches the response schema including an attachment field to indicate other security 
data follows the response schema (see C 7 L 21-36). 

Claim Rejections - 35 USC § 103 

10. Claim 8 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. Patent No. 
5,539,906 ("Abraham"). 
Regarding claim 8 

Abraham do not specifically teach an ISA S95 Model for Enterprise to Control System 
integration to integrate security aspects across or within respective groupings. "Official Notice" 
is taken that both the concept and advantages of providing an ISA S95 Model for Enterprise to 
Control System integration to integrate security aspects across or within respective groupings is 
well known and expected in the art. U.S. Patent Application Publication No. 2003/0014500 to 
Schleiss et al. discloses a preferred flow of communication between various process control and 
information technology systems are typically found within an enterprise defined by an ISA S95 
model international standard (see paragraphs 7 and 8). It would have been obvious to one of 
ordinary skill in the art to include the ISA S95 model for Enterprise to Control system to 
Abraham because it would provide for interacting between production or process control 
systems, enterprise resource planning systems and manufacturing execution systems to facilitate 
the integration of these systems. 
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11. Claims 21-23 and 25-27 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
U.S. Patent No. 6,957,348 ("Flowers") in view of U.S. Patent No. 5,539,906 ("Abraham"). 
Regarding claim 21 

Flowers teaches the security management module at least one of schedules audits, establishes a 
security policy, applies the policy from a single or distributed console, and generates reports that 
identify potential weaknesses in security (see C 3 L 12-29). 
Regarding claim 22 

Abraham teaches the security management module provides an interface to at least one of add, 
delete and modify security rights of an individual, a group, or a device and distribute security 
information to various controllers and control devices (see C 7 L 1-11). 
Regarding claim 23 

Abraham teaches at least one of: an authentication with the one or more servers to establish a 
secure link; a secure link to authenticate and authorize access to a requestor of the networked 
factory assets; and establishment of a secure session with the requestor if access is authorized 
(see C 1 1 L 8-23). 
Regarding claim 25 

Abraham teaches analyzing one or more security attributes to determine whether access should 
be granted to the one or more automation assets (see C 1 1 L 24-30). 
Regarding claim 26 

Abraham teaches the one or more security attributes further comprise at least one of a role, an 
asset type, a location, a time, and an access type (see abstract and C 7 L 1-17). 
Regarding claim 27 
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Abraham teaches at least one of: determining whether to grant access to the one or more 
automation assets; granting access from the one or more automation assets; and granting access 
from a network device associated with the one or more automation assets (see C 1 1 L 24-30). 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to examiner Thomas Pham\ whose telephone number is (571) 272- 
3689, Monday - Thursday from 6:30 AM - 5:00 PM EST or contact Supervisor Mr. Anthony 
Knight n\ (571) 272-3687. 

Any response to this office action should be mailed to: Commissioner for Patents, P.O. 
Box 1450, Alexandria VA 22313-1450. Responses may also be faxed to the official fax 
number (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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Patent Examiner 
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